Report No
September 27, 2013
Appalachian Regional Commission

Table of Contents

Results of Evaluation
Areas for Improvement
  Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities
  Area for Improvement 2: The agency should remediate current potential risks
Management Comments and Our Analysis
Objective, Scope and Methodology

Results of Evaluation

The purpose of this evaluation was to answer the question: Is the ARC network's perimeter defense effective?

Yes. The ARC network's perimeter defense is effective.

A penetration test is an attempt to breach a network and gain unauthorized access to its resources. On July 1, 2013, we conducted a penetration test of the ARC network using public information. Our search for public information on the ARC network servers identified one potential target, and the Office of the CIO provided its network range of 16 IP addresses to limit the scope of the scan so it did not impact non-ARC equipment. We used software to detect servers and their listening service ports, and then we scanned these servers for vulnerabilities.

The ARC's computer network (the ARC network) has over 100 systems, consisting of servers, desktops, laptops, printers, phones, and network infrastructure devices. Every computer is connected to the network with a unique IP (Internet Protocol) address. For example, a desktop PC on the ARC network might have an address like [address not reproduced in this transcription]. A typical Windows PC could have more than 20 listening ports. Each port serves a function; for instance, an Internet browser connects to port 80 to request web pages from a server, and servers use port 25 to transfer messages. It would be normal for a network of 100 systems to present 2,000 listening ports, all potential targets for attack.

The goal of perimeter defense is to minimize the number of exposed ports, known as the attack surface. A network with no open ports is not a network: open ports are required to communicate. Devices such as firewalls are configured to limit the number of ports exposed to the Internet, and newer technologies such as Intrusion Detection and Protection Systems (IDPS) can provide additional protection by detecting and blocking scans meant to identify open ports.
Several effective characteristics of the ARC network's perimeter defense include the following:

The ARC network's firewalls effectively limit the exposure of internal systems to the Internet. Inside the ARC network, 5,000 or more service ports might be actively listening and responding to requests. From the Internet, only 8 systems and 17 ports were discovered in our scan of the ARC network.

We were unable to exploit the systems found to gain unauthorized access to the ARC network. One system allowed registration for access. When we attempted to create a user account, the system denied this request because the details didn't match some requirement. The preregistration process deployed by ARC effectively helps prevent unauthorized access.

In summary, the ARC network's perimeter defense effectively prevented our intrusion attempts.

An effective perimeter defense is a significant component of a complete network security program. An attacker can exploit a network in a number of ways. In general, she can attack the network perimeter as we did, or she can bypass the perimeter by tricking a user into letting her in. Means of accomplishing this could be as simple as having a user open a malicious e-mail or visit an infected website, or leaving an infected USB drive to be found by an employee near the front door of the building. While the ARC network's perimeter defense is currently effective, continuous attention and improvement are required to ensure that it remains effective in the future. Our penetration testing did reveal several potential areas for improvement: the agency should implement ongoing scanning to detect vulnerabilities, and it should remediate current potential risks. These areas for improvement are detailed below.

Areas for Improvement

Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities.

Networks and their systems evolve over time, either deliberately or by chance. Secure systems installed today will become insecure over time due to newly discovered vulnerabilities in their underlying operating system or application software. Furthermore, any time changes are made to the existing environment, vulnerabilities can be inadvertently introduced. The best means of mitigating this risk is vulnerability scanning, both on a periodic basis and on demand any time a change is made to the environment. Even though it is licensed to use software that can perform vulnerability scanning of its perimeter, the ARC is not currently performing this function.
The penetration test we performed as part of this evaluation found several potential vulnerabilities. Because previous tests were not performed, it was not known how long these systems had been vulnerable. The longer systems remain vulnerable, the more likely it is that they will be exploited. Regular testing would have identified these vulnerabilities and enabled timely remediation.

In order to execute the mission of the agency, senior management must remain informed of risks to their underlying systems. Regular perimeter scans are a critical source of information describing risks to an agency's information systems.

Recommendation 1: Perform scheduled, routine scanning of the perimeter on at least a monthly basis.

Recommendation 2: Perform perimeter scans after new hardware or software is introduced to the ARC perimeter network.

Area for Improvement 2: The agency should remediate current potential risks.

The penetration test we performed identified several potential risks in the agency's webservers. We were unable to exploit them using the tools and methods within our scope of testing, but a determined attacker could use these vulnerabilities to exploit the ARC's systems or its users.

The Commission's web time and attendance system allows users to enter their username and password in clear text, instead of requiring encryption, as seen below:

[Screenshot of the login form not reproduced in this transcription.]

This makes it possible for someone to intercept these credentials and acquire usernames, passwords, and unauthorized access to the system. The Commission should encrypt the submission of passwords on its websites to eliminate this risk to its users and systems.

In our scan of the network perimeter, we identified several ports responding to the Internet that were not necessary for business communications. These ports were found on the Commission's previously mentioned web time and attendance system and on its firewall product:

[Table of responding ports not reproduced in this transcription.]

Responding ports provide potential entry points to the network for authorized and unauthorized users alike. The Commission should limit responding ports to those necessary for business communications, and block access to those not needed for that purpose. The ARC has a responsibility to control access to its data, and to protect users of its public websites from malicious activity. It is possible to improve security by reconfiguring the existing devices to remediate the issues found in the perimeter scan.

Recommendation 3: Implement SSL to encrypt access to the web time and attendance webserver.

Recommendation 4: Block access to ports not necessary for business communications.
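A check for the clear-text credential finding above, as an added example rather than anything from the report or the ARC's systems: it parses a login page, finds every form containing a password field, and reports the ones whose resolved submission URL is not https. The page URL and HTML below are a constructed sample on a hypothetical host.

```python
# Added example (not from the ARC report): flag login forms that would post a password over plain HTTP.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record (action, has_password_field) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []       # finished forms as [action, has_password]
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def cleartext_login_forms(page_url, html):
    """Return resolved submission URLs of password forms that are not https."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for action, has_password in parser.forms:
        target = urljoin(page_url, action)  # relative actions follow the page
        if has_password and urlsplit(target).scheme.lower() != "https":
            findings.append(target)
    return findings


# Constructed sample page on a hypothetical host, not the ARC system's page.
SAMPLE_URL = "http://timesheet.example.test/login"
SAMPLE_HTML = """<html><body>
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form>
<form action="https://timesheet.example.test/search" method="get">
  <input name="q"><input type="submit">
</form></body></html>"""
```

A page that is itself served over plain HTTP but posts to https still deserves attention, since the form can be altered in transit before the user submits it.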

Management Comments and Our Analysis

On July 26, 2013, management provided comments on the draft evaluation report. They concurred with our assessment that the perimeter network defense was effective, and that the defense could be further improved through ongoing vulnerability scanning and the remediation of current potential risks. They subsequently provided management decisions that would address each of the four recommendations. At the time of the final report, the Commission was arranging for a vendor to conduct periodic scans of its Internet-facing network. It was also continuing its efforts to encrypt the Time and Attendance website.

Objective, Scope and Methodology

Objective: Is the ARC network's perimeter defense effective?

Scope: This evaluation included all externally available wired nodes on the ARC network. The device list included, but was not limited to, all servers, workstations, routers, gateways and firewalls. The access types attempted included login attempts for the purposes of information gathering, privilege escalation, and establishment of jumping points to other areas of the ARC network infrastructure.

Methodology:
1. From an unfiltered IP address, performed unauthenticated network and device discovery using a toolset including, but not limited to, Nessus, Wireshark, and other applications within the BackTrack/Kali tool suite.
2. Reviewed and analyzed protocol encryption types, as applicable.
3. Performed automated and manual login attacks.
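The routine perimeter review that Recommendations 1, 2 and 4 call for (scheduled scans, scans after changes, and blocking ports not needed for business), as an added example that is neither the report's nor the ARC's own code: it parses nmap greppable (-oG) output and reports exposed ports that are not on the approved list and ports that appeared since the previous scan. The scan lines, the documentation addresses 203.0.113.x and the allowlist are constructed samples.

```python
# Added example (not from the ARC report): compare a perimeter scan against
# the ports allowed for business communications and against the last scan,
# the routine the report recommends (Recommendations 1, 2 and 4).
import re

# nmap greppable (-oG) lines are "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>//<svc>///, ..."
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_open_ports(grep_output):
    """Return the set of (ip, port, proto) reported open in nmap -oG output."""
    exposed = set()
    for line in grep_output.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts with no port data
        ip, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                exposed.add((ip, int(fields[0]), fields[2]))
    return exposed


def review_perimeter(current, allowed, previous=None):
    """Split exposed ports into unapproved ones and ones new since the last scan."""
    unapproved = sorted(current - allowed)
    new_since_last = sorted(current - previous) if previous is not None else []
    return {"unapproved": unapproved, "new_since_last": new_since_last}


# Constructed sample data using documentation addresses, not ARC's real scan.
ALLOWED = {
    ("203.0.113.10", 443, "tcp"),   # public web server, https only
    ("203.0.113.20", 25, "tcp"),    # mail gateway
}
LAST_SCAN = parse_open_ports("""# Nmap scan (constructed)
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///\tIgnored State: filtered (999)
""")
THIS_SCAN = parse_open_ports("""# Nmap scan (constructed)
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8443/closed/tcp//https-alt///
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 3389/open/tcp//ms-wbt-server///
""")
```

Running the review after every change to the perimeter, not only monthly, is what turns the "new_since_last" list into a change-control check.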